That will allow anyone on our domain to access the reports. I want to restrict it to just a few.

Ideally I would furnish Tomcat with a set of usernames *and* then authenticate via NTLM but i don't think I can do that.

I do not want to add a new AD group for BIRT, so am thinking of performing the restriction within the report itself. The above link suggests a way to get the logged in username via an Initialize function but how do I make use of that?

I am thinking that I should put some code in beforeFactory that checks the passed username value against a list and either goes on to display the report OR outputs a message saying the user is not authorised.

However, I am clueless on how to achieve this or even if there is a better was of doing this?

If you could grab the username and had access to a list to cross check if they should be able to view the report, you could drop all elements, in your beforeFactory script except for a label stating that the user doesn't have access to the report.

Thanks for this idea. I came across the show/hide elements elsewhere. At the moment I have a global JS function isValidUsername() that just checks against a hard-coded list. If it's not on the list it hides the main table and shows a pop-up message.

What I really would like to do is look up the passed login name in some database table and if it exists as a record there then it is valid. So my isValidUsername() function needs to perform a database query to check if a particular record exists and get the result.

So I am stuck again, if anyone knows how to achieve this, I would be grateful.

Not show/hide. Actually drop the elements. You should be able to create a dataSet in your report that checks your user. Then, you could use the data engine api to check the results of the dataSet, in your beforeFactory. If the user doesn't check out, you can drop all of the tables in the report so that none of the datasets even run and show an error label. You could also just connect to your db in script and check for the username without the data engine api.

I have a follow up question, though, and could start a new thread but you may know.

Is there a way, within the script, to tell if the report is currently being run locally via the report designer rather than via the web viewer? When testing the report, I don't have access to the LDAP authentication username, so would want the option to bypass that check.

var request = reportContext.getHttpServletRequest();
if (request!=null) {
if (request.getServerName() == '127.0.0.1')
{
// This is running locally so can we assume from the report designer?
// Do valid stuff when run locally
}
else
{
// do stuff when run remotely
}
}

Though, of course, the above could also apply when running the report via the web viewer when logged in to the server.